$5.5 Million Settlement Related to Audit Controls
In a case that highlights the need for proper audit controls, Florida’s Memorial Healthcare System (MHS) has paid the U.S. Department of Health and Human Services (HHS) $5.5 million to settle potential HIPAA violations. The health system also agreed to implement what HHS calls a “robust” corrective action plan.
MHS is a nonprofit corporation that operates six hospitals, an urgent care center, a nursing home, and a variety of ancillary healthcare facilities throughout the South Florida area. It also is affiliated with many physician practices.
MHS reported to the HHS Office for Civil Rights (OCR) that the protected health information (PHI) of 115,143 individuals had been impermissibly accessed by its employees and impermissibly disclosed to affiliated physician office staff. This information consisted of the affected individuals’ names, dates of birth, and Social Security numbers. The login credentials of a former employee of an affiliated physician’s office had been used to access the ePHI maintained by MHS on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals.
“Although it had workforce access policies and procedures in place, MHS failed to implement procedures with respect to reviewing, modifying, and/or terminating users’ right of access, as required by the HIPAA rules,” HHS reports. “Further, MHS failed to regularly review records of information system activity on applications that maintain electronic protected health information by workforce users and users at affiliated physician practices, despite having identified this risk on several risk analyses conducted by MHS from 2007 to 2012.”
In a statement accompanying the settlement announcement, Acting Director of HHS OCR Robinsue Frohboese emphasized that organizations must implement audit controls and review audit logs regularly.
“As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen,” she said.
The Resolution Agreement and Corrective Action Plan are available online at: http://bit.ly/2lTte2A.